Black Hat: ICS Vendors Need to Test for Security

Thursday, August 7, 2014 @ 04:08 PM gHale

By Gregory Hale
Industrial control system vendors need to think about security more and they need to test and ensure their products are secure before they go out the door.

“Defense in depth starts with fundamentals and devices are part of the fundamentals,” said Stefan Lueders, Computer Security Officer at CERN during his Wednesday talk entitled “Why control systems suck” at Black Hat USA 2014 in Las Vegas.

The European Organization for Nuclear Research known as CERN is a European research organization whose purpose is to operate the world’s largest particle physics laboratory. Established in 1954, CERN headquarters are in Geneva and the organization has 21 European member states.

“We have control systems in quite a few different areas. Plenty of control systems at CERN and what pissed me off is there is no predictability,” Lueders said. “Safety systems were predictable. Not the control systems. Some of the bigger vendors are doing a good job, but some of the smaller vendors are not secure.”

In one case, Lueders talked about a deal he had with the people who worked for him. He would buy a bottle of wine for anyone who could break into a device. One of his people found the root password in 30 seconds.

Right now, “security is not an integral part of the mindset, it is more of security through obscurity.”

Lueders said control system security professionals should not always have to reinvent the wheel. He said there are enough IT security devices and products that should take care of most OT issues.

One of those OT issues that always crops up, though, is patching.

“Patching must be prompt and agile,” he said. Lueders listed some of the main patching issues:
• Heavy compliance testing
• Rare maintenance windows
• Lots of legacy or old embedded devices
• Fear of breaking a $100,000 device

Lueders also pointed out problems when it comes to servicing an installation or facility:
• Default passwords and undocumented backdoors
• No integrated firewalls
• Very remote license servers needed for start-up

“We need more robustness and resilience,” he said.

When it comes to security, the younger generation is hitting the workforce, but Lueders wonders if they are ready for the evolving and dynamic environment.

“Our kids are the users and programmers of the future. Is security taught too late in students’ academic careers? In Bachelor’s programs they don’t teach security, only when they go into a Master’s program,” he said.

“Security needs to be automatic, just like swimming,” Lueders said. “When you are swimming you don’t think about safety, you just swim.”